POISSON TYPE PHENOMENA FOR POINTS ON 
HYPERELLIPTIC CURVES MODULO p 
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Abstract. Let p be a large prime, and let C be a hyperelliptic curve over 
Fp. We study the distribution of the x-coordinates in short intervals when the 
y-coordinates lie in a prescribed interval, and the distribution of the distance 
between consecutive x-coordinates with the same property. Next, let g{P, Po) 
be a rational function of two points on C. We study the distribution of the 
above distances with an extra condition that g(Pi, Pi^i) lies in a prescribed 
interval, for any consecutive points Pi, Pi+i. 



1. Introduction 

Let p be a large prime. In [3], Cobeli and one of the authors considered the 
distribution of r-tuples of primitive roots modulo p. They showed that the distri- 
bution of primitive roots becomes Poissonian as p tends to infinity via a sequence 
of primes such that ip{p — — >■ 0. Moreover, they showed that the proportion of 
distances between consecutive primitive roots which are at least A times larger than 
the average value p/f{p — 1) tends to e""^. In this paper, we employ an analogous 
technique to study r-tuples of x-coordinates on a hyperelliptic curve modulo a large 
prime number p. 

Let C be a hyperelliptic curve over Fp defined by the equation = f{x), f not 
a square. Let I be an interval inside [0, (p— l)/2] with \I\ > pj loglogp, |I| = o(p). 
We consider the x-coordinates of the points (x, y) ^ C with y ^ I, and denote them 
< xi < ■ ■ ■ < Xm < P — 1- We study the distribution of the number of such x^'s 
in {x, X + t], where x itself is one of such x^'s, and t ^ Xp/ \I\. It turns out that 
under certain natural assumptions, as p increases, the distribution approaches the 
Poisson distribution with parameter A. 

Next, we consider the proportion of distances between consecutive x^'s which are 
at least A times greater than the asymptotic average p/ that is, 

M^ _ : 1 < « < m^Xi+i - Xi > Xp/ \I\} 

— 

m 

where m is the total number of such Xi, and Xm+i ~ xi +p. As p tends to infinity, 
we show that the limit of iJ,p{X) tends to e~^, and moreover, that this convergence 
is uniform on compact subsets of [0,cx)). 

Lastly, we go a step further and investigate to what extent the above Poisson 
distribution might be distorted via a rational function g(P, Pq) of two points P, Pq 
on the curve C. This builds on, and extends some ideas from [Tl]. More precisely, 
we study the distribution of the number of Xi^s in (x, x + t] as above, but with the 
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extra condition that g{Pi,Pi+i) G J, where J — [ap,l3p), and Pi = {xi,yi),Pi+i — 
{xi+i,yi+i) are points on C with yi,yi+i G ^- The resulting distribution is again 
Poisson, but with a different parameter A' = \{j3 — a). Regarding the proportion 
of distances between consecutive XiS satisfying the above extra condition, that is, 

1^ ON #{i-'^<i<m,x,+i-x,>\p/\I\,g{Pi,Pi+i)e[ap,l3p\} 

m 

we show that as p tends to infinity, /j,p(A,a,/3) tends to e~'^^''~"^ 

As an apphcation of our resuhs, we wih derive a result which shows how the 
distribution of distances between the a;-coordinates of points on an elliptic curve C 
is affected by the group law of C. This is our original motivation for studying this 
problem. 

2. Distribution of Values of Rational Maps on an affine curve in a 

HYPERCUBE MODULO p 

Since the Poisson distribution of a;-coordinates in short intervals without any 
distortion g and its corresponding limit distribution of consecutive difference can be 
derived from the case with distortion by simply setting J7=[0,p),i.e. a = 0,/3 = l, 
we will proceed directly to prove the results when distortion exists, and derive the 
case without distortion as a corollary. 

Let p be a large prime number, and let X be an irreducible affine curve over 
Ap, the affine r-space over Fp, given by the set of equations fi{x) = 0, where 
X = {xi, . . . , Xr), 1 < i < k. By the well known Weil bounds for space curves [1] 
(note that in our case X is affine instead of projective) we know that 



(2.1) \#X - p\ < 2gaVp, 

where ga denotes the arithmetic genus of X. Note that this formula works even 
when X is singular. 

Let g = (gi , . . . , gs) be a rational map from X to A^. Thus each gi is a quotient of 
polynomials in Fp[xi, . . . , Xr]- RecaU that the degree deg {gi) of gi is defined as the 
maximum between the degree of its numerator and the degree of its denominator. 
Define the degree of the rational map g to be deg (g) :— maxi<i<s deg (gi). 

For the convenience of the reader, we recall the notion of linear independence 
on a curve X. A set of functions {gi, . . . , gs} is linearly independent provided that 
if ci, . . . , Cs e Fp are such that cigi{x) + • • • + Csgs{x) = on the curve X , then 

Cl = •••=: Cs = 0. 

Let Ii , . . . , be intervals in [0, p) , and we view Ii x • • • x C A'' as a hypercube 
in the domain for which X is defined. Similarly, let J7i, . . . , J7s be intervals in [0,p), 
and view J7i x • • • x J7s C A* as a hypercube in the range of the rational map 
9 (51, ■ • • ,5s)- We define 
J^iX) — #{a; € X n {li X ■ ■ ■ X Xr)\x is not a pole of g,g{x) e Ji x ■ ■ ■ x J^} 

to be the number of points on X lying inside the hypercube Ii x • • • x 1^, whose 
images under g lie inside the hypercube Ji x ■ ■ ■ x J^. The main result of this 
section is the following theorem, which may be regarded as a uniform distribution 
result, where the intervals 1^, JT} are not too small. 

Theorem 2.1. Let X be as above, of degree d > I, and let \I\ denote the num- 
ber of integers inside the interval X. Let g — (gi, . . . , ^s) be a rational map with 
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1 < degg < d. Let p be a large prime, and assume that the set of functions 
{l,xi,.. . , Xr, gi{x), . . . ,gs{x)} is linearly independent on X. Then 



\Il\...\Ir\\Jl 



\Js 



„r+s-l 



< r+^did-i)^iog''+'p + oi^iog'- 



Remark 2.2. The uniform distribution problem of rational points over an irreducible 
variety in a hypercube was investigated by Myerson [10], and also Fujiwara [6] (see 
also [4] for the case of curves, but with more general regions). Their results were 
improved in the case for complete intersections by Shparlinski and Skorobogatov 
[TT] . Skorobogatov [13] and Luo [8]. On the other hand, the uniform distribution 
problem of rational maps was investigated by Vajaitu and one of the authors |14j 
(see also [15] and [7] for other related distribution problems). Here, we combine 
both ideas, and at the same time produce an explicit error term for later use. 

The first step in the proof of Theorem I2.1l is to rewrite J^{X) as an exponential 
sum. 



Lemma 2.3. Denote ep{y) = e'^'^'y/P, and let T = {(^i, 
and U — {(ui, . . . , Ug) : \uj\ < (p — l)/2}. We have 



,tr) : \t,\ < {p-l)/2} 



N{X) 



^ E H E ep(t»m,) 

(tl,...,tr)6T l<i<r VmiGli / 



^ E H E ep(Wj%) 

(ui,...,Us)eU l<j<s \nj&Jj 



X 



E e.p{~uigi{x) 



Usgs{x) - tixi 



0<Xi<p-l 



where means we ignore the poles of the gi 's when summing. 
Proof. From the orthogonal relation of the exponential sum 



ep{ti{m^ - Xi)) 

|t.|<(p-l)/2 

we sum over all possible m.^ S li to get 



\p if Xi = rui, 
I if 7^ m^, 



\ E E 



^ mteli |ti|<(p-l)/2 

In the same spirit, we get 



,{ti{m.i - Xi)) = 



1 ii Xi £ li, 

a Xi ^ li. 
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Therefore, 

^ n n Y ep(U{m,-x,))ep{uj{nj-hj{x)) 

^ l<i<r l<j<s mteli |ti|<(j9-l)/2 iij^Jj \uj\<(p-l)/2 

{1 if cc e Ii X • • • X and g{x) e Ji x ■ ■ ■ x Jg, 
otherwise. 

Finahy, Af{X) is the sum of the above quantity over ah possible x ^ X. By 
rearranging terms on the repeated sums we get the lemma. 

□ 

The main term of J^{X) corresponds to the term with all ti ^ Uj = in the 
above lemma, which is 

-^\I,\...\XA\Ji\...\Js\#X{¥p). 

By (HH), this is 



main term ^ . . .\Ir\\Ji\ . . . \Js\ [p + 0(Vp)) 

(2.2) = \I,\...\Ir\\Ji\... \Js\ + 0{{r + s)^). 

The following two lemmas estimate the remaining terms. 
Lemma 2.4. Let p he a large prime. For any interval T, we have 



< 2p\ogp. 



Proof. Letlnl^ {lj + l,...,l + h-l}, where h = \I\. Then 



if f = 0, 



e p 



Hence if < 7^ 0, 



711 



< 



l_e-2^it/p 



I 2 g — 27rit/p I 



if t 7^ 0. 



Since 1 1 — e 27rit/p | _ 2 | sin (vri /p) \ > for p large enough, we obtain the estimate 



Y ^pi^^) 

mQX 



2p p 
< — i- < — 

- TTltl- \t\ 



Finally, the lemma is obtained by summing over all t with 1 < |t| < {p— l)/2, using 
the elementary inequality 



1 

1+2 



1 



ITT < logp. 



□ 
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Lemma 2.5. If (ti, . . . ,tr,ui, . . . ,Us) ^ (0, ...,0), the degree d of X is greater 
than 1, 1 < deg (g) < d, and the set {l,xi, ... ,Xr, gi{x), gs{x)} is linearly 
independent on X , then 

ep{-uigi{x) Usgs{x)-tixi trXr) 



xex 

0<Xi<p-l 



<did^l)^+^d\ 



Proof. Apply Theorem 6 of ^2) to the projective closure of X. (Note that since 
1 < deg (g) < d, the assumption of that theorem is satisfied for all large enough 
p.) □ 

Proof of Theorem \2.1\ With the main term (|2.2p already established, we only have 
to estimate other terms corresponding to nonzero . . . , <r, ui, ■ • • , "s) in Lemma 
12.31 The innermost sum for those terms is estimated uniformly by Lemma l2.5l Now 
group those terms according to the number of nonzero ti and Uj , use Lemma 12.41 
for nonzero ti,Uj, and the trivial estimate X)m gi 6p(iimi) < p for ti — (or the 
equivalent for Uj = 0). We see that the absolute value of the remaining terms is 
less than or equal to 

(2*^+^ log''+^p + (r + s)2''+^-i log'+^-i ^"^^ ' log"^'"' P + ■ • ■ 

+ 2(r + s) logp) X {d{d - 1)^ + 

which is 

2^+^d{d - l)V^log'^+^p + 0(Vplog'^+^- V). 
This finishes the proof of Theorem 12.11 □ 



Remark 2.6. From the proof of Theorem 12.11 we see that if some of the intervals 
among lijjTj are the full interval [0,p), then we can loosen the linearly independent 
condition a little bit. This will be vital in our application later. 

Let li correspond to the coordinate functions Xi, and J7j correspond to the 
functions gj{x). From the proof of Lemma [2.31 we see that if any of the li or J} 
is the full interval, the exponential sum over that interval and its corresponding 
function can be omitted. Thus when we apply Bombieri's estimate in Lemma 12.51 
we can remove the function from the set we require to be linearly independent if 
its corresponding interval is the full one. 

As an example of how we make use of the above remark, we let r = s and g to be 
the identity map. Then it is not necessary to restrict our range to any subset. Hence 
all Jj's are full. From the remark we only need to ensure the set {l,xi, . . . ,Xr} 
is linearly independent, and this is true since the degree of X is d > 1. Thus we 
recover the uniform distribution theorem in , now with an explicit error term. 

Corollary 2.7. Let X be as usual, of degree d > 1, and \I\ denotes the number of 
integers inside X. Let 



N'{x) = #{x e (Zi X 



X !„)} 
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the number of points of X lying inside the hypercube Ii x • • • x I„ . If p is a large 
prime, then 

\Il\...\Ir 



N'{X) 



pr-l 



As another application, if we do not restrict our domain, that is if all I^'s are 
full, then using Reniark l2.6l we recover [T31 Theorem 1] in the special case where 
is a hypercube. 

3. r-TUPLES OF a;-COORDINATES OF A HYPERELLIPTIC CURVE MOD p WITH A 
PRESCRIBED RATIONAL FUNCTION 

For the remaining of the paper, we let C be a hyperelliptic curve over ¥p defined 
by the equation = f{x), with d = degf. We assume / is not a square in Fp(a;), 
so that C is irreducible. We are interested in the distribution of the distances 
between successive x-coordinates of points on C, subjected to a restricted range of 
a rational function in terms of the two successive points (we will make this precise in 
a moment). Our approach is inspired by [3], where the distribution of the distances 
between successive primitive roots mod p is studied. 

Let H — {hi, . . . , hr} be a subset of {1, 2, ... 1}. To each pair of (C,H), we 
define the x-shifted curve of C by C-h, to be the curve defined by the family of 
equations 

y' = /(^) 

yl = f{x + hi) 



Vr fix + K) 

in Ap+^ with the r + 2 coordinates x,y,yi, . . . ,yr (the shifted curve also appeared 
in [9], but the definition here is a little bit different). It is easy to see that Cy, is 
indeed a curve. 

Let 5* be the set of all x g Fp so that there is a j/ with {x, y) G C(Fp). From the 
definition of C-u, it is obvious that a point on C-u corresponds to an x such that x 
and X + hi are all in S for all hi gH. 

More generally, if I is an interval in [0,p), let Sx be the set of all x so that there 
is a ?/ G T with {x,y) G C(Fp). Then there is a correspondence from the set of 
points on Cn inside the hypercube {[0,p) x X^+^) to the set of x's so that all x and 
x + hi are in Sx for all hi £ %. 

Now suppose P = (x, y) and Pq — {xo,yo) are two points on C, g = g{P, Pq) = 
g{x,y,Xf),yQ) is a rational function between the 2 points. With respect to a point 
P — {x,y), we define Sx,j.p to be the set of all xq in Sx satisfying the extra 
condition g{P, Pq) £ J , for some Pq = (2:0, 2/o) on C with y^ £ X. If gi = g{P, Pi) = 
g{x, y,x + hi,yi) is the rational function obtained from g by putting in Pq = {x + 
hi,yi), and let g = (gi, . . . ,5^), then g is a rational function on C-u. It is clear 
that there is a correspondence from the set of points on C-u inside the hypercube 
{[0,p) X Z''+^) whose image under g lie in to the set of x's such that {P — (x, y) 
as usual) x + hi are in Sx,j,p for all hi £ H. 

To simplify matters, from now on we assume that the interval I C [0, (p — l)/2], 
so that one x- value can only correspond to at most one y- value, and hence the 
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above correspondence is bijective. We define JV{H) ~ ■N'{T~L] C,p, g,I, J) to be the 
number of points on C-u inside tlie liypercube ([0,p) x 1''+^) whose image under g 
he in J"^ . The following lemma gives an idea of the size oi N{'H). 

Lemma 3.1. Let C he a hyperelliptic curve defined by — f{x). Let T-L = 
{hi, . . . , hr\, f G ¥p[x] of degree d, not a square in ¥p[x\, and g{P, Pq) a rational 
function between two points in X, of degree degg < d, and the set . . . , ffr} 

is linearly independent on C-u . If d and r are small compared to p, then for all 
sufficiently large p, 



■ir+l 



N{H)- 



\J\' 



,2r 



< 2^'^+^rf(2'^d - l)v^log2'-+2p + 0(^log^'-+». 



Proof. It is easy to compute that D = degC-H = 2^d. Once we show that C-u is 
irreducible, this lemma will follow from replacing r by r + 2, letting s = r, Xi ~ X, 

= J and g — (51, . . . , (/r) (recall that gi — g{P, Pi)) in Theorem 12. II Note that 
by Remark |2 . 61 there is no need to include the function x in the set of functions we 
require to be linearly independent since its corresponding interval is full. 

We show the irreducibility of C-h by showing that the field 



K = ¥p{x) [^/m, v7F+M, ■ • ■ , Vfi^ + K) 

obtained by adjoining a square root of each of the f{x) and f{x + hi) is the function 
field of C-H. The condition that r is small compared to p ensures that if is a field 
extension of degree 2''+^ over ¥p(x). Now we proceed using induction on r. 
For r — this follows from the condition that / is not a square. 

Assume that Kr-i = ¥p{x) fix), \/ f{x + hi), . . . , f{x + hr) is the func- 
tion field of C-H', where %' = % — hr- Kr-i is a field of degree 2*" over ¥p{x). Let 



I = {V^ - f{x),yl- f{x + hi),...,yl 
we have an isomorphism 

^p{x)[y,yi, ...,yr 



fix + hr-i)) be the ideal of H'. Then 



obtained by sending y f{x), yi H' f{x - 
we can prove that the map 



>Kr-l 

hi). The induction is completed if 



(3.1) 



Kr-l[yr] 



Vr - fix + hr) 



= Kr-1 



^fix + hr) 



with yr I— > \/ fix + hr), is an isomorphism. The map (f> is clearly surjective, and 
from the degrees of the fields K,Kr~i over Fp(x), we see that K in a. vector space 
over Kr-i of dimension 2. Since the left hand side of p.ip has rank at most 2 over 
Kr-i, 4> must be an isomorphism. □ 



Remark 3.2. If is the full interval, then by using Lemma l2.61 we can remove the 
assumption that the set {1, gi, . . . , g^} is linearly independent on C-h- 

Remark 3.3. For the rest of the paper, we will assume that as p — )■ 00, we have d = 
oip), r = o(logp/loglogp), \I\ > p/loglogp, and J = [ap, I3p) (0 < a < /3 < 1). 
It is clear that under these conditions, the proof of Lemma l3 . 1 1 works and the main 
term has a bigger magnitude than the error term when p is sufficiently large. 



8 



KIT-HO MAK AND ALEXANDRU ZAHARESCU 



Next, if A,B are two disjoint sets of integers, we define 

N'iA,B) =MiA,B;C,p,I,J) 

to be the number of x such that x and x + a are in Sx.j for all a ^ A, but x + b are 
not in Sx^j for any b e B. To estimate J^{A,B), we introduce the characteristic 
function 

^1 iixeSx^j, 

otherwise. 



S{x) = 



Since in our case one x can correspond to at most one y, we can write J^{A, B) in 
terms of 5{x), 

x(ElO,p)aeA beB 

xelo,p)aeA ccB cec 

= E(-i)'" E n 

CCB xe[o,p)deAuc 
= 5](-l)l'^lAA(^UC). 

CCB 

Combining this with Lemma |3. 11 which says 
for some \6-u\ < 1, we get the following result. 

Theorem 3.4. LetA,B be two sets of integers distinct mod p. Then 



p2 J \y p2 



<23|-^l+4|e| + ld(2l-^l + l«ld-l)^l0g2|-^l+2|«l+2p + O(^log2|-^l+2|«l + lp). 



Remark 3.5. Theorem 13.41 only depends on the cardinality of A, B and also the 
number of integers in the interval Z, but not the particular elements in A, B and 
the position of I, J . It is interesting to compare Theorem 13.41 with Theorem 1 in 

El- 

We remind the reader that we have assumed that 
d = o(p), 1^1 , \B\ = o(logp/loglogp) and \X\ , \J\ > p/loglogp. 
See Remark [ 



4. The POISSON distribution of the a;-COORDINATES 

Recall that Sx is the set of all x so that there is a y € I with {x,y) G C, and 
for P = {x, y) e C, Sx,j.p is the set of all xo in Sx satisfying the extra condition 
g{P,Po) e J', for some Pq = (2:0,1/0) on C with yo G X. For t > 1 and /c a 
non- negative integer, we define Pfc(t) = Pk{t]C,p,g,I,J) to be the proportion of 
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X Cz Sx for which the interval (x, x + 1] contains exactly k elements in Sx^j^p with 
P = {x,y) as usual. Note that by Corollary 12.71 the cardinality of Sx satisfies 

\\Sx\ - \n < 4d(d- l)Vplog'p + O(Vplogp), 
or equivalently, for some \6\ < 1, 

(4.1) \Sx\ - \I\+ied{d-l)^\og'p + 0{^\ogp) 

= I 1 + + 0(logj3/ \I\) I . 

Next, we write Pk{t) in terms of the quantities M{A,B). 

CCU....J*]} 

\C\=k 

where C = {1, . . . , [i]} - C. 

For t = o(logp/ loglogp), k < t, \X\ > p/loglogp, and J — [ap,f3p), we can 
apply Theorem 13.41 and ()4.ip to obtain 



= 1 + + ^(logp/ |I|) 



/ 



cc{i, ....[*]} 

, |Cl=fc 



p J \ p 



with 



< 1. 



i? = ^0'24M+id(2[*ld - l)v^log2W+2p + 0(Vplog2W+V), 
This simplifies to 

where the constant in 0{p-^ log^^*^~^^ p) can be taken as 2''W+id(2[*l(i - 1). 

Suppose now p goes to infinity, while X = t\I\ /p remains fixed (so that t goes 
to infinity as p — )• oo, and automatically \I\ = o{p)). Note that the condition \X\ > 
p/ log log p guarantees that t = O (log log p) (so it is certainly o(logp/ loglogp)) and 
hence it guarantees that our formula works throughout the limiting process. We 
also have \ J'\ /p ^ {3 — a. As p — > oo, the error term is at most 0(p~^/^^'') for any 
5 > 0. Thus (|4.2p shows that asymptotically Pfe(i) has a Poisson distribution with 
parameter A(/3 — a): 



k 



P,(,)^e-(^-")(M-^ 
k\ 

for any non- negative integer k. More precisely, we have 

Theorem 4.1. Let k he a non-negative integer. Suppose t = O(loglogp), \T\ > 
p(loglogp)^/ logp, \2\ ~ o{p) and J — [ap, fip). Set \ — t\I\ jp, then as p goes to 
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infinity, we have 

Pk{t) = c-A(g~-a) HP ^0{{l+k+MlS'a))\I\/p) 

for any 5 > Q. 

For any real number A > 0, define /z(A,a,/3) = fi{X,a, l3;C,p,2) as in (|l.ip in 
the introduction. It is easy to see that this equals Po{t), with t ~ Xp/ Thus by 
putting fc = in Theorem 14. li we obtain 

Corollary 4.2. For any 6 > 0, under the conditions of Theorem \^.l\ we have 

Ai(A,a,/3) = e-^(^-")eO((i+^(^-"))/i°gi°gp) +0(pT^+*). 
Therefore, if we let p ^ oo, then 

lim ^iiX,a,P) = e-^(^-"). 

Moreover, the convergence is uniform on compact subsets of [0,oo). 

Proof. The only thing we still need to prove is the uniform convergence on compact 
subsets. Unlike the primitive root case considered in [3], this comes for free, since 
if p is large enough, every p satisfies the conditions of Theorem 14.11 □ 

An important special case is obtained by letting J' to be the full interval [0,p), 
and g{P,Po) — x{P), the a;-coordinates of the base point. Then if we let /u(A) = 
fi{X, 0, 1), this is the proportion of consecutive cc-coordinates in Sx whose distances 
are greater than Xp/ We get the following direct analogue of the primitive root 
case considered in [3]. 

Corollary 4.3. For any S > 0, under the conditions of Theorem \4-l\ and the 
additional condition that is the full interval [0,p), then asp tends to infinity, the 
distribution of the number of x-coordinates in Sx in short intervals approaches a 
Poisson distribution with parameter X: 

Also, the distribution of the distances between consecutive x-coordinates satisfies 

^(A) = e-^eO«i+^)/i°s>°sP) +0(pT^+*'). 
In particular, as p ^ 00, 

lim ^(A) = e"^. 

Remark 4.4. It is not absolutely necessary to consider {x,y) £ C to lie in the 
rectangle [0,p) xZ. For example, by a linear change of variable, we can consider any 
parallelogram which has length p (in the x-direction) , as long as the y-coordinates 
of the rectangle lie totally inside [0,{p — l)/2], and the width (in the y-direction) 
satisfies the requirement for \T\. 

For more general domains with piecewise smooth boundaries, one can apply the 
Lipschitz's principle on the number of integer points 5 . In that case, the error 
term will be much weaker, but the limiting process is still valid. 



1 + 



[Xp{l3-a) 



+Oip^+^) 
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Remark 4.5. It may also be interesting to see what happens if I is too big, say 
I = [0, (p — l)/2]. From (|4.2|) . which is still valid for this big I, we have 

As p — > oo with A = t |Z| /p kept constant, this just gives 

t]\ (I Y / 1 ^ '"'^ 



and hence 

Poit) ^ (1 - l/2(/3 - a)Y ^ (1 - l/2(/3 - 
which is never close to something like e^^. The reason is that as p ^ oo, t does 
not go to infinity accordingly, but stays more or less constant. 

5. An APPLICATION 

As an application of our results, we consider the distribution of z-coordinates of 
points on an elliptic curve in a rectangle, and the distortion of the distribution by 
the group law. More precisely, let E be an elliptic curve defined by = + ax + b 
over ¥p. Let 1 C [0, {p — l)/2] be an interval satisfying \X\ < p/ loglogp. We order 
the points Pi — {xi,yi) of C in the rectangle [0,p) x I according to the size of the 
^-coordinates: < < • • • < Xm < p. 

We are interested in the distribution of the distances between consecutive x- 
coordinates XiJ^i — Xi, where Xm+i = xi + p. By Corollarv l4.3[ the proportion of 
distances at least A times the asymptotic average p/ \I\ satisfies 

#{t : 1 < z < m, Xj+i - Xj > Xp/ \X\} _ _^ 

We now look at how the group law of the elliptic curve may distort the above 
distribution. Recall that (see for example |I2]) if Pi = {xi,yi),P2 = {x2,y2) are 
two points in C with x xq, the group law on C reads 

, v\ ( - yi V 

x{Pl + P2) = [ - Xi~ X2, 

\X2-X1J 

^^^\ tv , u\ - yi , ps yiX2 - y2Xi 
(5.1) y{Pi + P2) = x{Pi + P2) , 

X2 — Xi X2 — Xi 

-Pi = {x,-y). 

Fix an interval — [ap, jSp) . We want to see the proportion of consecutive points 
Pi,Pi+i (in the above sense) for which the distances between their ^-coordinates 
are large, and also the cc-coordinates of their differences x{Pi+i — Pi) lie inside J. 
From the group law (|5.ip above, we have 

CD v\ ( + yA ^ 

x(Pi+i - Pi) = -Xi- x^+i. 

\Xi+l - Xi J 

Suppose P = {x,y) is a base point, and Pi = {x + hi,yi). Take gi{P,Pi) = 

x{Pi — P) = —2x — hi to be the difference map. Before applying Corollary 

14. 2[ we need the following lemma. 

Lemma 5.1. The set {1, 51, . . . , 5^} is linearly independent on C-u for any % = 
{hi, hr}. 
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Proof. Fix any H ~ {hi, . . . , hr}. Suppose there are constants co, ci, . . . , Cr € Fp 
such that 

Co + Cl5l + . . . + Crgr = 

on Cfi, i.e. 

(5.2) Co + ci((/ir')'(yi + - 2a; - /ii) + . . . + c,((/i-i)2(j/, + y f - 2x - K) = 

on C^. Expand this equation and notice that due to the defining equations of C-u, 
all terms with y'^ and yf can be transformed into terms involving x only. This gives 

2ci{h^^fyyi + ... + 2cr{h-^fyyr + P{x) = 0, 

where P{x) is a polynomial in x with coefficients in Fp. Hence Ci{h~^^Y — for 8-11 
« = 1, 2, . . . , r. This implies Ci = for such i since hi ^ 0. By (|5.2p . we also have 
Co = 0. This completes the proof of the lemma. □ 

Now we can apply Corollarv l4.2l to get 
^.^^ #{1 <i <m : x.i+1 - Xi> \p/ \I\ and xjPj+i - Pj) £ [ap, fip)} _ 

Thus under the extra condition about the difference map between consecutive 
points, the distribution of the distance Xi+i — Xi is still of the same type, but 
with a different constant. Note that the new distribution only depends on the 
length of the interval [ap, but not on the group law. That is, we get similar 
results for any two-point rational function g{P, Pq). 

Acknowledgements. The authors wish to thank the referee for the suggestion of 
many improvements to this paper. 
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